racoon denials

Miroslav Grepl mgrepl at redhat.com
Thu Aug 20 11:55:36 UTC 2009


On 08/20/2009 01:42 AM, Daniel J Walsh wrote:
> On 08/18/2009 01:53 PM, Daniel Fazekas wrote:
>
>> On Aug 18, 2009, at 19:43, Daniel J Walsh wrote:
>>
>>
>>>> type racoon_tmp_t;
>>>> files_tmp_file(racoon_tmp_t)
>>>> manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
>>>> manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
>>>> files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })
>>>>
>>> Ok, better than the domtrans, although most of what you showed before
>>> were probably leaked file descriptors.
>>> I would really prefer not to use /tmp.
>>>
>> I still think – though haven't actually tested it – that all those tmp
>> file accesses are caused by bash's here-doc syntax to provide input for
>> setkey. (The temp files are all named sh-thd-#UNIX_TIMESTAMP#)
>>
>> Just like the example script in ipsec-tools,
>> /etc/racoon/scripts/p1_up_down does it:
>>
>> setkey -c<<  EOT
>> spdadd ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any -P out ipsec
>>         esp/tunnel/${LOCAL}-${REMOTE}/require;
>> spdadd 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any -P in ipsec
>>         esp/tunnel/${REMOTE}-${LOCAL}/require;
>> EOT
>>
>> The only other alternative seems to be to put the rules into a
>> dynamically created temp file, which I could then place anywhere, then
>> use setkey -f to load it from there.
>>
>> "setkey takes a series of operations from standard input (if invoked
>> with -c) or the file named filename (if invoked with -f filename)."
>>
>>
>> -- 
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
> Yes that looks correct.  So I will add the rules to rawhide.
>
>
> Miroslav, can you grab the ipsec.te from rawhide and put it in F11?
>
Added to selinux-policy-3.6.12-79.fc11
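The alternative Daniel Fazekas describes above (render the SPD rules into a temp file placed outside /tmp, then load it with `setkey -f` instead of feeding a bash here-doc to `setkey -c`), as an added example that is not part of the thread or of ipsec-tools. The directory variable RACOON_RUN_DIR and the override variable SETKEY_CMD are assumptions for this example; the rule text is the one from p1_up_down quoted above.

```shell
# racoon_spd_rules: print the two SPD entries from the quoted p1_up_down
# script for the given internal, local and remote addresses. Using printf
# instead of a here-doc means bash never creates an sh-thd-* file in /tmp.
racoon_spd_rules() {
    internal="$1"; local_ip="$2"; remote_ip="$3"
    printf 'spdadd %s/32[any] 0.0.0.0/0[any] any -P out ipsec\n' "$internal"
    printf '\tesp/tunnel/%s-%s/require;\n' "$local_ip" "$remote_ip"
    printf 'spdadd 0.0.0.0/0[any] %s[any] any -P in ipsec\n' "$internal"
    printf '\tesp/tunnel/%s-%s/require;\n' "$remote_ip" "$local_ip"
}

# racoon_load_spd: write the rules to a temp file in RACOON_RUN_DIR (an
# assumed directory that the policy labels for racoon_t, not /tmp) and hand
# it to "setkey -f". SETKEY_CMD (assumed) lets a test substitute e.g. "cat".
racoon_load_spd() {
    dir="${RACOON_RUN_DIR:-/var/run/racoon}"
    setkey_cmd="${SETKEY_CMD:-setkey -f}"
    rules_file=$(mktemp "$dir/spd.XXXXXX") || return 1
    racoon_spd_rules "$1" "$2" "$3" > "$rules_file"
    # unquoted on purpose so "setkey -f" splits into command and flag
    $setkey_cmd "$rules_file"
    rc=$?
    rm -f "$rules_file"
    return $rc
}
```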


